From: dac.override@gmail.com (Dominick Grift) Date: Wed, 26 Apr 2017 19:58:26 +0200 Subject: [refpolicy] [PATCH v2] locallogin: fix the sulogin submodule (emergency shell!) In-Reply-To: <201704270323.25612.russell@coker.com.au> References: <1492802281.4493.1.camel@trentalancia.net> <201704270220.27679.russell@coker.com.au> <201704270323.25612.russell@coker.com.au> Message-ID: <20170426175826.GB23409@julius> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, Apr 27, 2017 at 03:23:25AM +1000, Russell Coker via refpolicy wrote: > On Thu, 27 Apr 2017 02:32:05 AM Guido Trentalancia via refpolicy wrote: > > Unfortunately, your sulogin patch didn't work, so it was not just a matter > > of unneeded permissions! > > > > You can check by yourself that it was missing critical permissions while > > granting unneeded ones... > > It worked for me last time I tested it on Debian. Maybe other distributions > need different permissions. Maybe the Debian sulogin changed to require more > permissions since the last time I tested it. But I don't submit policy based > on what I imagine programs might do, it's based on what I observe them doing. I can confirm that cap_dac_override and cap_sys_admin arent needed for sulogin in debian stretch https://www.youtube.com/watch?v=NBj2W7yiu_c > > > Also, I have already stressed out several times that getty should probably > > run without the sys_admin capability. They didn't want to change it, I am > > not going to tell that again. > > As the previous discussion that I linked to showed there was a situation where > a character could be lost if that permission wasn't granted. I expect that > getty could be changed to address that issue. But I also recall that there > was another issue which I couldn't get the details of in 10 minutes of > Googling. > > > Feel free to submit your sys_admin capability patch for getty, sulogin or > > both. Consider, I have not tested other variations for sulogin, I consider > > the change of minor importance compared to this patch. > > As I have stated several times sulogin has a sole purpose of running a shell > with ultimate privileges and therefore I think that restricting it's access is > futile. > > -- > My Main Blog http://etbe.coker.com.au/ > My Documents Blog http://doc.coker.com.au/ > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170426/d3eca139/attachment.bin